ID

VAR-202111-0058


CVE

CVE-2021-42698


TITLE

Untrusted Data Deserialization Vulnerability in DAQFactory

Trust: 0.8

sources: JVNDB: JVNDB-2021-003937

DESCRIPTION

Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Malicious manipulation of these files may allow an attacker to corrupt memory. DAQFactory contains a vulnerability in the deserialization of untrusted data. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. DAQFactory is a software and application development platform that provides various tools for easily creating HMI/SCADA applications. A deserialization vulnerability exists in DAQFactory 18.1 Build 2347 and earlier.

Trust: 2.16

sources: NVD: CVE-2021-42698 // JVNDB: JVNDB-2021-003937 // CNVD: CNVD-2021-85894

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-85894

AFFECTED PRODUCTS

vendor: azeotech, model: daqfactory, scope: eq, version: 18.1

Trust: 1.0

vendor: azeotech, model: daqfactory, scope: lte, version: 18.1

Trust: 1.0

vendor: azeotech, model: daqfactory, scope: eq, version: -

Trust: 0.8

vendor: azeotech, model: daqfactory, scope: -, version: -

Trust: 0.8

vendor: azeotech, model: daqfactory build, scope: lte, version: <=18.12347

Trust: 0.6

sources: CNVD: CNVD-2021-85894 // JVNDB: JVNDB-2021-003937 // NVD: CVE-2021-42698

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-42698
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-42698
value: HIGH

Trust: 1.0

NVD: CVE-2021-42698
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-85894
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202111-470
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-42698
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-85894
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-42698
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-003937
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-85894 // JVNDB: JVNDB-2021-003937 // CNNVD: CNNVD-202111-470 // NVD: CVE-2021-42698 // NVD: CVE-2021-42698

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-003937 // NVD: CVE-2021-42698

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202111-470

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202111-470

PATCH

title: Top Page, url: https://www.azeotech.com/j/index.php

Trust: 0.8

title: AzeoTech DAQFactory Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=169060

Trust: 0.6

sources: JVNDB: JVNDB-2021-003937 // CNNVD: CNNVD-202111-470

EXTERNAL IDS

db: ICS CERT, id: ICSA-21-308-02

Trust: 3.0

db: NVD, id: CVE-2021-42698

Trust: 3.0

db: JVN, id: JVNVU91156086

Trust: 0.8

db: JVNDB, id: JVNDB-2021-003937

Trust: 0.8

db: CNVD, id: CNVD-2021-85894

Trust: 0.6

db: AUSCERT, id: ESB-2021.3696

Trust: 0.6

db: CS-HELP, id: SB2021110801

Trust: 0.6

db: CNNVD, id: CNNVD-202111-470

Trust: 0.6

sources: CNVD: CNVD-2021-85894 // JVNDB: JVNDB-2021-003937 // CNNVD: CNNVD-202111-470 // NVD: CVE-2021-42698

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-308-02

Trust: 3.0

url:https://jvn.jp/vu/jvnvu91156086/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-42698

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.3696

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021110801

Trust: 0.6

sources: CNVD: CNVD-2021-85894 // JVNDB: JVNDB-2021-003937 // CNNVD: CNNVD-202111-470 // NVD: CVE-2021-42698

SOURCES

db: CNVD, id: CNVD-2021-85894
db: JVNDB, id: JVNDB-2021-003937
db: CNNVD, id: CNNVD-202111-470
db: NVD, id: CVE-2021-42698

LAST UPDATE DATE

2024-11-23T22:10:58.693000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-85894, date: 2022-01-18T00:00:00
db: JVNDB, id: JVNDB-2021-003937, date: 2021-11-10T09:12:00
db: CNNVD, id: CNNVD-202111-470, date: 2021-11-10T00:00:00
db: NVD, id: CVE-2021-42698, date: 2024-11-21T06:27:59.767

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-85894, date: 2021-11-10T00:00:00
db: JVNDB, id: JVNDB-2021-003937, date: 2021-11-10T00:00:00
db: CNNVD, id: CNNVD-202111-470, date: 2021-11-05T00:00:00
db: NVD, id: CVE-2021-42698, date: 2021-11-05T16:15:07.823